
While searching for research papers on our main concept, it is apparent that information security awareness has gained more interest in the research field in recent years. For example, searching with the term “information security awareness” gives 252 results at Elsevier’s ScienceDirect.com, of which nearly half (122) were written in 2012 or later. The focus of awareness has shifted from computer and software security towards information security, which we believe can be explained by the Internet becoming more common and popular among ordinary citizens instead of being just a tool for researchers; this made the Internet more compelling for corporations, resulting in more available online services, which in turn resulted in more data being generated. The shift from computer security to information security is also noted by Whitman and Mattord, who wrote that the CIA triad has served as a conceptual model first for computer security and later for information security (Whitman & Mattord, 2012). The same can be seen with NIST Special Publications, of which 800-16 from 1998 is titled as being about computer security, while another publication that is commonly cited in the same context, 800-50 from 2003, is about information security. This, combined with the advancement of technology, e.g., disk space and computers in general becoming less expensive and faster, and Internet connections becoming more common, resulted in more and more data being generated, which eventually gained the interest of security researchers and legal systems, resulting in things such as data protection and data privacy laws. As more and more data moved from paper to digital format, and espionage and other threats also moved to the digital world, companies needed to educate their employees about the new dangers.

Thomas Peltier wrote an article in Computer Fraud & Security Bulletin (1992) titled “Information Security Awareness - Selling IS to the employees”, in which they went through the reasoning about why information security is needed and why ISA plays an essential role in securing information. Martin Smith wrote a book called “Commonsense Computer Security – Your Practical Guide to Information Protection (2nd Edition)” in 1993, in which part 2 was titled “Responsibilities for Computer Security”, covering who should handle what and which duties should be assigned to whom in the enterprise environment, and part 3 of the book contained a discussion of information security awareness programs. Charles Wood wrote an article in Computer Fraud & Security Bulletin in 1995 about information security awareness raising methods, in which they went through approximately 50 possible efforts companies could enroll in (Wood, 1995). While the list is in part an image of its time, with a few tweaks it could have been written today.

Siponen (2000) wrote: “The term ‘information security awareness’ is used to refer to a state where users in an organization are aware of – ideally committed to – their security mission (often expressed in end-user security guidelines).”, and “Similarly, information security awareness is of crucial importance, as information security techniques or procedures can be misused, misinterpreted or not used by end-users, thereby losing their real usefulness.”. The first quote differs from NIST’s definition, as in NIST’s glossary of key information security terms, information security awareness is defined as “Activities which seek to focus an individual’s attention on an (information security) issue or set of issues.” (NIST, 2013). This definition is also used by Enisa in their guide on how to raise information security awareness (Enisa, 2010). This difference has been noted by Puhakainen (2006) in their dissertation, where they categorized 59 information systems security awareness approaches into two categories. In the first category, ISA is considered a means to attract users’ attention to information security issues, and in the second category, ISA is considered users’ understanding of information systems security (Puhakainen, 2006). This study will focus more on the aspect of users’ understanding of information systems security rather than the actions used to improve it, as we want to focus on the knowledge aspect of this issue: what should users know and understand in order to be able to act and behave securely, and to be able to follow security standards and rules.

Farooq and Kakakhel performed a study comparing perceptions and training preferences, in one part of which, to better understand the ISA level of their respondents, they asked questions regarding security threats faced by users in everyday life (Farooq & Kakakhel, 2013). They do not, however, explain how they arrived at those specific topics, or why those were selected instead of other topics that people may face. Their topics were zero-day attacks, denial of service, botnets, security incidents, pharming, phishing, social engineering, spam, Trojan horses, and viruses/worms.

Albrechtsen and Hovden aimed to improve information security awareness and behavior through dialogue, participation, and collective reflection in their intervention study. They argue that their selected indexes cover a broad range of aspects of information security awareness and training, but no further arguments for the selected items are given. Their topics were responsibility (contains questions about virus infections, maintaining information security, and complying with information security requirements), motivation (contains questions about writing passwords down and locking the computer), information security vs. functionality (contains questions about information security being bothersome, and whether information security is foremost a technical issue), importance of specific information security measures (questions about safe use of e-mail, anti-virus tools, locking the computer, usage of the Internet, non-disclosure), importance of generic security and safety measures (reporting incidents, keeping the ID card visible, following guidelines, occupational accident prevention, and fire protection), reporting (willingness to report observed or suspected information security incidents), perceived skills and knowledge (having enough skills and knowledge to handle the information security of their workstation), locking the computer, carrying ID cards, checking unfamiliar persons without ID cards, and manual virus checks (Albrechtsen & Hovden, 2010).

McCoy and Fowler explain in their paper how they implemented a campus-wide security awareness program, their methods of delivery, and the importance they perceived in establishing a flexible program that can meet demands and still be relevant to their users (McCoy & Fowler, 2004). The topics they used in their training programs consisted of password safety and security, workstation security, Internet and e-mail security, and physical security.

Al-Hamdani, in his paper about the assessment of need and method of delivery for an ISA program, lists possible topics to use in an ISA training program. The list contains the following items: password construction, password management, authentication, Internet usage, telephone fraud, physical e-mail usage and security, private information, virus protection and detection, PC security, software licensing, backups, building access, social engineering, identity theft, and home office security (Al-Hamdani, 2006).

NIST Special Publication 800-50 lists potential awareness topics. The list contains items from the following topics (a topic may include multiple items): passwords, malware, policies, e-mails, data backup and storage, social engineering, web usage, incident response, physical access to devices, handheld and mobile devices, wireless security issues, usage of encryption, updates, software usage and licenses, access control, and information confidentiality (NIST, 2003, pp. 24–25). Many researchers have used the items from the NIST 800-50 publication as their main topics, from which they have then produced their questions or training topics (e.g., Awawdeh & Tubaishat, 2014; Kim, 2012).

From those listed in NIST Special Publication 800-50, Kim generated items for their questionnaire from the following topics: anti-virus programs, updating virus definitions, regularly scanning the computer and storage devices, use of a firewall, installing software patches, using pop-up blockers, understanding the risk of downloading programs or files, understanding the risk of peer-to-peer file sharing, understanding the risk of clicking on e-mail links, understanding the risk of e-mailing passwords, understanding the risk of e-mail attachments, regularly backing up important files, understanding the risk of smartphone viruses, the need for anti-virus software on a smartphone, knowing the characteristics of a strong password, using different passwords for different systems, and changing passwords regularly (Kim, 2012).

Enisa’s guide on how to raise information security awareness states that “identifying topics related to information security that are critical for the organization and the target audience is the first step of many while organizing an awareness initiative”. They also list topics that should be considered for an information security awareness program: information security policies and procedures (which includes e.g., passwords), workstation security, website policies, e-mail security, social engineering, third-party and partner security, identity verification, technical security mechanisms, information classification and controls, incident response, and asset management (e.g., USB flash drives, printing devices, PDAs, mobile phones) (Enisa, 2010).